@j0hanz/superfetch 1.2.5 → 2.0.1

package/dist/http/server-config.js

@@ -0,0 +1,40 @@
+import { config } from '../config/index.js';
+import { logError } from '../services/logger.js';
+export function assertHttpConfiguration() {
+    ensureBindAllowed();
+    ensureStaticTokens();
+    if (config.auth.mode === 'oauth') {
+        ensureOauthConfiguration();
+    }
+}
+function ensureBindAllowed() {
+    const isLoopback = ['127.0.0.1', '::1', 'localhost'].includes(config.server.host);
+    if (!config.security.allowRemote && !isLoopback) {
+        logError('Refusing to bind to non-loopback host without ALLOW_REMOTE=true', { host: config.server.host });
+        process.exit(1);
+    }
+    if (config.security.allowRemote && config.auth.mode !== 'oauth') {
+        logError('Remote HTTP mode requires OAuth configuration; refusing to start');
+        process.exit(1);
+    }
+}
+function ensureStaticTokens() {
+    if (config.auth.mode === 'static' && config.auth.staticTokens.length === 0) {
+        logError('At least one static access token is required for HTTP mode');
+        process.exit(1);
+    }
+}
+function ensureOauthConfiguration() {
+    if (!config.auth.issuerUrl || !config.auth.authorizationUrl) {
+        logError('OAUTH_ISSUER_URL and OAUTH_AUTHORIZATION_URL are required for OAuth mode');
+        process.exit(1);
+    }
+    if (!config.auth.tokenUrl) {
+        logError('OAUTH_TOKEN_URL is required for OAuth mode');
+        process.exit(1);
+    }
+    if (!config.auth.introspectionUrl) {
+        logError('OAUTH_INTROSPECTION_URL is required for OAuth mode');
+        process.exit(1);
+    }
+}

package/dist/http/server-middleware.d.ts

@@ -1,9 +1,7 @@
-import type { Express, NextFunction, Request, RequestHandler, Response } from 'express';
-export declare function buildCorsOptions(): {
-    allowedOrigins: string[];
-    allowAllOrigins: boolean;
-};
-export declare function createJsonParseErrorHandler(): (err: Error, _req: Request, res: Response, next: NextFunction) => void;
-export declare function createContextMiddleware(): (req: Request, _res: Response, next: NextFunction) => void;
-export declare function registerHealthRoute(app: Express): void;
-export declare function attachBaseMiddleware(app: Express, jsonParser: RequestHandler, rateLimitMiddleware: RequestHandler, authMiddleware: RequestHandler, corsMiddleware: RequestHandler): void;
+import type { Express, RequestHandler } from 'express';
+export declare function attachBaseMiddleware(options: {
+    app: Express;
+    jsonParser: RequestHandler;
+    rateLimitMiddleware: RequestHandler;
+    corsMiddleware: RequestHandler;
+}): void;

package/dist/http/server-middleware.js

@@ -1,70 +1,9 @@
 import { randomUUID } from 'node:crypto';
 import { config } from '../config/index.js';
-import { bindToRequestContext, runWithRequestContext, } from '../services/context.js';
+import { runWithRequestContext } from '../services/context.js';
+import { createHostValidationMiddleware, createOriginValidationMiddleware, } from './host-allowlist.js';
 import { getSessionId } from './sessions.js';
-const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);
-function normalizeHost(value) {
-    const trimmed = value.trim().toLowerCase();
-    if (!trimmed)
-        return null;
-    const first = trimmed.split(',')[0]?.trim();
-    if (!first)
-        return null;
-    if (first.startsWith('[')) {
-        const end = first.indexOf(']');
-        if (end === -1)
-            return null;
-        return first.slice(1, end);
-    }
-    const colonIndex = first.indexOf(':');
-    if (colonIndex !== -1) {
-        return first.slice(0, colonIndex);
-    }
-    return first;
-}
-function buildAllowedHosts() {
-    const allowedHosts = new Set();
-    const raw = process.env.ALLOWED_HOSTS ?? '';
-    for (const entry of raw.split(',')) {
-        const normalized = normalizeHost(entry);
-        if (normalized) {
-            allowedHosts.add(normalized);
-        }
-    }
-    for (const host of LOOPBACK_HOSTS) {
-        allowedHosts.add(host);
-    }
-    const configuredHost = normalizeHost(config.server.host);
-    if (configuredHost &&
-        configuredHost !== '0.0.0.0' &&
-        configuredHost !== '::') {
-        allowedHosts.add(configuredHost);
-    }
-    return allowedHosts;
-}
-function createHostValidationMiddleware() {
-    const allowedHosts = buildAllowedHosts();
-    return (req, res, next) => {
-        const hostHeader = typeof req.headers.host === 'string' ? req.headers.host : '';
-        const normalized = normalizeHost(hostHeader);
-        if (!normalized || !allowedHosts.has(normalized)) {
-            res.status(403).json({
-                error: 'Host not allowed',
-                code: 'HOST_NOT_ALLOWED',
-            });
-            return;
-        }
-        next();
-    };
-}
-export function buildCorsOptions() {
-    const allowedOrigins = process.env.ALLOWED_ORIGINS
-        ? process.env.ALLOWED_ORIGINS.split(',').map((o) => o.trim())
-        : [];
-    const allowAllOrigins = process.env.CORS_ALLOW_ALL === 'true';
-    return { allowedOrigins, allowAllOrigins };
-}
-export function createJsonParseErrorHandler() {
+function createJsonParseErrorHandler() {
     return (err, _req, res, next) => {
         if (err instanceof SyntaxError && 'body' in err) {
             res.status(400).json({
@@ -80,18 +19,17 @@ export function createJsonParseErrorHandler() {
         next();
     };
 }
-export function createContextMiddleware() {
+function createContextMiddleware() {
     return (req, _res, next) => {
         const requestId = randomUUID();
         const sessionId = getSessionId(req);
         const context = sessionId === undefined ? { requestId } : { requestId, sessionId };
         runWithRequestContext(context, () => {
-            const boundNext = bindToRequestContext(next);
-            boundNext();
+            next();
         });
     };
 }
-export function registerHealthRoute(app) {
+function registerHealthRoute(app) {
     app.get('/health', (_req, res) => {
         res.json({
             status: 'healthy',
@@ -101,13 +39,14 @@ export function registerHealthRoute(app) {
         });
     });
 }
-export function attachBaseMiddleware(app, jsonParser, rateLimitMiddleware, authMiddleware, corsMiddleware) {
+export function attachBaseMiddleware(options) {
+    const { app, jsonParser, rateLimitMiddleware, corsMiddleware } = options;
     app.use(createHostValidationMiddleware());
+    app.use(createOriginValidationMiddleware());
     app.use(jsonParser);
     app.use(createContextMiddleware());
     app.use(createJsonParseErrorHandler());
     app.use(corsMiddleware);
     app.use('/mcp', rateLimitMiddleware);
-    app.use(authMiddleware);
     registerHealthRoute(app);
 }

package/dist/http/server-shutdown.d.ts

@@ -0,0 +1,4 @@
+import type { Express } from 'express';
+import type { SessionStore } from './sessions.js';
+export declare function createShutdownHandler(server: ReturnType<Express['listen']>, sessionStore: SessionStore, sessionCleanupController: AbortController, stopRateLimitCleanup: () => void): (signal: string) => Promise<void>;
+export declare function registerSignalHandlers(shutdown: (signal: string) => Promise<void>): void;

package/dist/http/server-shutdown.js

@@ -0,0 +1,43 @@
+import { destroyAgents } from '../services/fetcher/agents.js';
+import { logError, logInfo, logWarn } from '../services/logger.js';
+import { getErrorMessage } from '../utils/error-details.js';
+export function createShutdownHandler(server, sessionStore, sessionCleanupController, stopRateLimitCleanup) {
+    return (signal) => shutdownServer(signal, server, sessionStore, sessionCleanupController, stopRateLimitCleanup);
+}
+async function shutdownServer(signal, server, sessionStore, sessionCleanupController, stopRateLimitCleanup) {
+    logInfo(`${signal} received, shutting down gracefully...`);
+    stopRateLimitCleanup();
+    sessionCleanupController.abort();
+    await closeSessions(sessionStore);
+    destroyAgents();
+    closeServer(server);
+    scheduleForcedShutdown(10000);
+}
+async function closeSessions(sessionStore) {
+    const sessions = sessionStore.clear();
+    await Promise.allSettled(sessions.map((session) => session.transport.close().catch((error) => {
+        logWarn('Failed to close session during shutdown', {
+            error: getErrorMessage(error),
+        });
+    })));
+}
+function closeServer(server) {
+    server.close(() => {
+        logInfo('HTTP server closed');
+        process.exit(0);
+    });
+}
+function scheduleForcedShutdown(timeoutMs) {
+    setTimeout(() => {
+        logError('Forced shutdown after timeout');
+        process.exit(1);
+    }, timeoutMs).unref();
+}
+export function registerSignalHandlers(shutdown) {
+    process.on('SIGINT', () => {
+        void shutdown('SIGINT');
+    });
+    process.on('SIGTERM', () => {
+        void shutdown('SIGTERM');
+    });
+}

package/dist/http/server.d.ts

@@ -1,3 +1,13 @@
+import type { Express, NextFunction, Request, RequestHandler, Response } from 'express';
+export declare function createCorsMiddleware(): (req: Request, res: Response, next: NextFunction) => void;
+export declare function attachBaseMiddleware(options: {
+    app: Express;
+    jsonParser: RequestHandler;
+    rateLimitMiddleware: RequestHandler;
+    corsMiddleware: RequestHandler;
+}): void;
+export declare function registerDownloadRoutes(app: Express): void;
+export declare function errorHandler(err: Error, req: Request, res: Response, next: NextFunction): void;
 export declare function startHttpServer(): Promise<{
     shutdown: (signal: string) => Promise<void>;
 }>;